Metadata Keywords
Metadata keywords have no immediate effect on rule matching. However, they affect reporting when a rule matches.
msg
The keyword msg contains textual information about the signature and the possible alert.
The format of msg is:
msg: "some description";
Examples:
msg:"ATTACK-RESPONSES 403 Forbidden";
msg:"ET EXPLOIT SMB-DS DCERPC PnP bind attempt";
Note
The following characters must be escaped inside the msg: ; (semicolon), \ (backslash) and " (double quote).
sid
The keyword sid (signature ID) assigns an ID to every signature. This ID is given as a number. The format of sid is:
sid:123;
rev
The keyword rev represents the version of the signature. Each time a signature is updated, rev ought to be incremented. Its format is:
rev:123;
classtype
The classtype keyword provides information on the classification of rules and alerts. It consists of a short name which can be translated into a priority for reporting purposes.
This example reports a hit of class "trojan-activity":
drop tcp any any -> any any (msg:"classtype example"; content:"placeholder"; \
classtype:trojan-activity; sid:1; rev:1;)
Tip
By convention, classtype comes after the rest of the keywords and before sid and rev.
reference
The reference keyword provides additional information on the purpose of the rule and the attack it detects. reference can appear multiple times in a signature.
This keyword is meant for signature writers and analysts who investigate why a signature has matched.
It has the following format:
reference: type, reference
For example, a typical reference to www.genua.de would be:
reference: url, www.genua.de
In addition, there are also several systems that can be used as a reference. A commonly known example is the CVE-database that assigns numbers to vulnerabilities. You can refer to it as follows, for example:
reference: cve, CVE-2014-1234
This creates a reference to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1234.
priority
Note
cognitix Threat Defender does not support this keyword.
metadata
With the metadata keyword, additional, non-functional information can be added to the signature.
The format is:
metadata: key value;
metadata: key value, key value;
The metadata keyword is often used to record the signature creation timestamp (created_at) and last update timestamp (updated_at).
Example:
metadata:created_at 2010_09_23, updated_at 2010_09_23;
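As an added example (not part of the original page or of the cognitix Threat Defender product), the following parser pulls the reporting keywords described above (msg, sid, rev, classtype, reference and metadata) out of a rule, honouring the escaping of ; \ " inside msg so that a semicolon in the message does not end the option early. The sample rule is constructed for this example.

```python
import re

# Constructed sample rule (not from the page): exercises msg escaping,
# multiple reference entries and a metadata list.
SAMPLE_RULE = (
    r'drop tcp any any -> any any (msg:"classtype example; see \"docs\""; '
    r'content:"placeholder"; reference:url,www.genua.de; '
    r'reference:cve,CVE-2014-1234; classtype:trojan-activity; sid:1; rev:1; '
    r'metadata:created_at 2010_09_23, updated_at 2010_09_23;)'
)


def split_options(options):
    """Split the text between the rule's parentheses into (keyword, value) pairs.

    Scans character by character so that ';' and '"' that are escaped inside a
    quoted msg do not terminate the option (the escaping rule from the page).
    """
    pairs, buf, in_quotes, i = [], "", False, 0
    while i < len(options):
        ch = options[i]
        if ch == "\\" and in_quotes:       # keep the escape and the escaped char
            buf += options[i:i + 2]
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:    # unquoted ';' ends one option
            kw, _, val = buf.strip().partition(":")
            pairs.append((kw.strip(), val.strip()))
            buf = ""
        else:
            buf += ch
        i += 1
    return pairs


def parse_metadata(rule):
    """Collect the reporting keywords from one rule into a dict."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    meta = {"references": [], "metadata": {}}
    for kw, val in split_options(body):
        if kw == "msg":
            # drop the surrounding quotes and undo the escaping of ; \ "
            meta["msg"] = re.sub(r'\\([;\\"])', r"\1", val[1:-1])
        elif kw in ("sid", "rev"):
            meta[kw] = int(val)
        elif kw == "classtype":
            meta["classtype"] = val
        elif kw == "reference":            # "type, reference" pairs, may repeat
            rtype, _, ref = val.partition(",")
            meta["references"].append((rtype.strip(), ref.strip()))
        elif kw == "metadata":             # "key value" items separated by ','
            for item in val.split(","):
                key, _, value = item.strip().partition(" ")
                meta["metadata"][key] = value.strip()
    return meta
```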